Skip to content

pwntester/SerialKillerBypassGadgetCollection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

SerialKiller: Bypass Gadget Collection

Description

Collection of Bypass Gadgets that can be used in JVM Deserialization Gadget chains to bypass "Look-Ahead ObjectInputStreams" desfensive deserialization.

Released as part of RSA 2016 Talk "SerialKiller: Silently Pwning Your Java Endpoints" by Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711).

Details about bypass gadget technique can be found in the following resources:

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Requirements

The current status of this project heavily depends on "YSoSerial". project and the idea is to integrate it there in the near future (see below). It can actually be considered an extension of ysoserial and it reuses some parts of the code and all the payload gadgets in order to facilitate future integration.

Copy the current version (ysoserial-0.0.5-SNAPSHOT-all.jar) to /external and adjust the pom.xml if using a different version.

The following Jar files are required from Weblogic and WebSphere application servers and not distributed with SerialKiller Bypass Gadget Collection. Copy them from your authorized version of the application server to the /external directory.

com.ibm.jaxws.thinclient_8.5.0.jar
com.ibm.ws.ejb.embeddableContainer_8.5.0.jar
com.oracle.weblogic.iiop-common.jar
com.ibm.mq.jmqi.jar
com.ibm.ws.ejb.thinclient_8.5.0.jar
com.ibm.msg.client.jms.jar
com.ibm.ws.runtime.coregroupbridge.jar

Build

mvn clean compile assembly:single

Usage

java -jar target/serialkiller-bypass-gadgets-0.0.1-SNAPSHOT-all.jar <Payload Gadget, eg: CommonsCollections2> <Bypass Gadget, eg: Weblogic1> <Command, eg: 'touch /tmp/test'>

Future

The idea is to integrate this project into YsoSerial project as soon as it supports wrapping payloads in bypass gadgets and handle missing dependencies.

About

Collection of bypass gadgets to extend and wrap ysoserial payloads

Resources

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages